Cobalt
Summary of Actor:Cobalt, also known as Cobalt Group or Cobalt Gang, is a cybercriminal group primarily known for its bank heists and financially motivated attacks. The group has been active since at least 2016 and is notorious for its sophisticated malware and tactics that target financial institutions globally.
General Features:Cobalt is known for its use of spear-phishing emails to deliver malicious payloads. The group primarily targets banking institutions, ATMs, and financial entities, using custom malware and sophisticated hacking techniques to steal funds. They have been linked to numerous high-profile cyber heists.
Related Other Groups: Carbanak,FIN7
Indicators of Attack (IoA):
- Spear-phishing emails
- Use of custom malware such as Cobalt Strike
- Credential theft
- Lateral movement within networks
Recent Activities and Trends:
- Latest Campaigns : The latest campaigns by Cobalt involve the use of phishing emails with malicious attachments that exploit vulnerabilities in Microsoft Office. These campaigns focus on financial institutions in various regions, particularly targeting banks' internal networks.
- Emerging Trends : Cobalt has been seen leveraging more zero-day exploits and increasingly using living-off-the-land techniques to avoid detection. They are also shifting towards targeting cryptocurrency exchanges and blockchain-related financial entities.
Mule Libra
ATK 67
Cobalt Gang
Cobalt Spider
Gold Kingswood
+2
Kazakhstan
Turkey
Romania
Spain
Czech
+26
Target Sectors
Retail
Finance
Electrical&Electronical Manufacturing
Associated Malware/Software
LNK
SDelete
win.lokipws
More_eggs
Mimikatz
+15
️Related CVEs
ATT&CK IDs:
T1037
T1505 - Server Software Component
T1550
T1136 - Create Account
T1486 - Data Encrypted for Impact
+212
Tactic | Id | Technique | |||
---|---|---|---|---|---|
Collection | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
Collection | T1123 | Audio Capture |
Sub Techniques |
Detections |
Mitigations |
Collection | T1005 | Data from Local System |
Sub Techniques |
Detections |
Mitigations |
Collection | T1530 | Data from Cloud Storage |
Sub Techniques |
Detections |
Mitigations |
Collection | T1074 | Data Staged |
Sub Techniques |
Detections |
Mitigations |
Collection | T1560 | Archive Collected Data |
Sub Techniques |
Detections |
Mitigations |
Collection | T1114 | Email Collection |
Sub Techniques |
Detections |
Mitigations |
Collection | T1113 | Screen Capture |
Sub Techniques |
Detections |
Mitigations |
Collection | T1115 | Clipboard Data |
Sub Techniques |
Detections |
Mitigations |
Collection | T1039 | Data from Network Shared Drive |
Sub Techniques |
Detections |
Mitigations |
Collection | T1185 | Browser Session Hijacking |
Sub Techniques |
Detections |
Mitigations |
Collection | T1119 | Automated Collection |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1132 | Data Encoding |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1571 | Non-Standard Port |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1008 | Fallback Channels |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1090 | Proxy |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1105 | Ingress Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1071 | Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1219 | Remote Access Software |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1043 | Commonly Used Port |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1095 | Non-Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1102 | Web Service |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1572 | Protocol Tunneling |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1001 | Data Obfuscation |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1094 | Custom Command and Control Protocol |
Sub Techniques |
Detections |
Mitigations |
Command And Control | T1573 | Encrypted Channel |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1003 | OS Credential Dumping |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1555 | Credentials from Password Stores |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1081 | Credentials in Files |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1558 | Steal or Forge Kerberos Tickets |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1539 | Steal Web Session Cookie |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1110 | Brute Force |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1552 | Unsecured Credentials |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1187 | Forced Authentication |
Sub Techniques |
Detections |
Mitigations |
Credential Access | T1503 | Credentials from Web Browsers |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1130 | Install Root Certificate |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1070 | Indicator Removal |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1036 | Masquerading |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1601 | Modify System Image |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1107 | File Deletion |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1564 | Hide Artifacts |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1220 | XSL Script Processing |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1027 | Obfuscated Files or Information |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1562 | Impair Defenses |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1553 | Subvert Trust Controls |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1218 | System Binary Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
Defense Evasion | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1135 | Network Share Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1012 | Query Registry |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1124 | System Time Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1082 | System Information Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1033 | System Owner/User Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1482 | Domain Trust Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1217 | Browser Information Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1083 | File and Directory Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1018 | Remote System Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1049 | System Network Connections Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1614 | System Location Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1087 | Account Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1007 | System Service Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1518 | Software Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1016 | System Network Configuration Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1057 | Process Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1046 | Network Service Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1069 | Permission Groups Discovery |
Sub Techniques |
Detections |
Mitigations |
Discovery | T1120 | Peripheral Device Discovery |
Sub Techniques |
Detections |
Mitigations |
Execution | T1559 | Inter-Process Communication |
Sub Techniques |
Detections |
Mitigations |
Execution | T1085 | Rundll32 |
Sub Techniques |
Detections |
Mitigations |
Execution | T1059 | Command and Scripting Interpreter |
Sub Techniques |
Detections |
Mitigations |
Execution | T1203 | Exploitation for Client Execution |
Sub Techniques |
Detections |
Mitigations |
Execution | T1047 | Windows Management Instrumentation |
Sub Techniques |
Detections |
Mitigations |
Execution | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
Execution | T1204 | User Execution |
Sub Techniques |
Detections |
Mitigations |
Execution | T1106 | Native API |
Sub Techniques |
Detections |
Mitigations |
Execution | T1170 | Mshta |
Sub Techniques |
Detections |
Mitigations |
Execution | T1569 | System Services |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1567 | Exfiltration Over Web Service |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1020 | Automated Exfiltration |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1030 | Data Transfer Size Limits |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1011 | Exfiltration Over Other Network Medium |
Sub Techniques |
Detections |
Mitigations |
Exfiltration | T1029 | Scheduled Transfer |
Sub Techniques |
Detections |
Mitigations |
Impact | T1529 | System Shutdown/Reboot |
Sub Techniques |
Detections |
Mitigations |
Impact | T1490 | Inhibit System Recovery |
Sub Techniques |
Detections |
Mitigations |
Impact | T1485 | Data Destruction |
Sub Techniques |
Detections |
Mitigations |
Impact | T1531 | Account Access Removal |
Sub Techniques |
Detections |
Mitigations |
Impact | T1561 | Disk Wipe |
Sub Techniques |
Detections |
Mitigations |
Impact | T1498 | Network Denial of Service |
Sub Techniques |
Detections |
Mitigations |
Impact | T1489 | Service Stop |
Sub Techniques |
Detections |
Mitigations |
Impact | T1486 | Data Encrypted for Impact |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1190 | Exploit Public-Facing Application |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1566 | Phishing |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1189 | Drive-by Compromise |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1195 | Supply Chain Compromise |
Sub Techniques |
Detections |
Mitigations |
Initial Access | T1199 | Trusted Relationship |
Sub Techniques |
Detections |
Mitigations |
Lateral Movement | T1021 | Remote Services |
Sub Techniques |
Detections |
Mitigations |
Lateral Movement | T1097 | Pass the Ticket |
Sub Techniques |
Detections |
Mitigations |
Lateral Movement | T1563 | Remote Service Session Hijacking |
Sub Techniques |
Detections |
Mitigations |
Lateral Movement | T1570 | Lateral Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
Lateral Movement | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1060 | Registry Run Keys / Startup Folder |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1505 | Server Software Component |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1176 | Browser Extensions |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1137 | Office Application Startup |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1136 | Create Account |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1037 | Boot or Logon Initialization Scripts |
Sub Techniques |
Detections |
Mitigations |
Persistence | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1037 | Boot or Logon Initialization Scripts |
Sub Techniques |
Detections |
Mitigations |
Privilege Escalation | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
Reconnaissance | T1592 | Gather Victim Host Information |
Sub Techniques |
Detections |
Mitigations |
Reconnaissance | T1595 | Active Scanning |
Sub Techniques |
Detections |
Mitigations |
Resource Development | T1588 | Obtain Capabilities |
Sub Techniques |
Detections |
Mitigations |
Resource Development | T1587 | Develop Capabilities |
Sub Techniques |
Detections |
Mitigations |
Resource Development | T1583 | Acquire Infrastructure |
Sub Techniques |
Detections |
Mitigations |
Total Count : 907
https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdfhttps://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot
https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam
http://www.secureworks.com/research/threat-profiles/gold-evergreen
https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
https://unit42.paloaltonetworks.com/atoms/obscureserpens/
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
https://www.youtube.com/watch?v=EyDiIAt__dI
https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/
https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/
https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/
https://web.br.de/interaktiv/ocean-lotus/en/
https://twitter.com/felixw3000/status/1521816045769662468
https://blog.talosintelligence.com/2018/06/my-little-formbook.html
https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/
https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/
https://www.netscout.com/blog/asert/double-infection-double-fun
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta
https://isc.sans.edu/diary/rss/27176
https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx
https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html
https://www.group-ib.com/blog/renaissance
https://www.riskiq.com/blog/labs/cobalt-strike/
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
https://www.qurium.org/alerts/targeted-malware-against-crph/
https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/
https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/
https://thedfirreport.com/2022/03/07/2021-year-in-review/
https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md
https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus
https://isc.sans.edu/diary/rss/28752
https://www.youtube.com/watch?v=ysN-MqyIN7M
https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/
https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://embee-research.ghost.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/
https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI
https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/
https://twitter.com/AltShiftPrtScn/status/1350755169965924352
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/
https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
https://intel471.com/blog/conti-emotet-ransomware-conti-leaks
https://intel471.com/blog/shipping-companies-ransomware-credentials
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://github.com/Apr4h/CobaltStrikeScan
https://phishme.com/loki-bot-malware/
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf
https://redcanary.com/blog/getsystem-offsec/
https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/
https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html
https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf
https://securelist.com/apt-trends-report-q3-2020/99204/
https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv
https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html
https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/
https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/
https://www.uperesia.com/analysis-of-a-packed-pony-downloader
https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/
https://www.knowbe4.com/pony-stealer
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.tgsoft.it/news/news_archivio.asp?id=1568
https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
https://www.secureworks.com/research/threat-profiles/bronze-president
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/
https://twitter.com/TheDFIRReport/status/1359669513520873473
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel
https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/
https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html
https://paper.seebug.org/1301/
https://www.inde.nz/blog/different-kind-of-zoombomb
https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/
https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/
https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
https://www.lac.co.jp/lacwatch/report/20220307_002893.html
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors
https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b
https://twitter.com/Unit42_Intel/status/1461004489234829320
https://community.riskiq.com/article/c88cf7e6
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://asec.ahnlab.com/en/47455/
https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper
https://www.malware-traffic-analysis.net/2021/09/17/index.html
https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads
https://censys.com/a-beginners-guide-to-hunting-open-directories/
https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b
https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros
https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf
https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/
https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes
https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf
https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf
https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf
https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf
https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/
https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/
http://reversing.fun/posts/2021/06/08/lokibot.html
https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf
https://www.elastic.co/security-labs/grimresource
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://www.ironnet.com/blog/ransomware-graphic-blog
https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/
https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html
https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html
https://embeeresearch.io/shodan-censys-queries/
https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
https://explore.group-ib.com/htct/hi-tech_crime_2018
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf
https://vanmieghem.io/blueprint-for-evading-edr-in-2022/
https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
https://twitter.com/swisscom_csirt/status/1354052879158571008
https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/
https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/
https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
https://www.mandiant.com/resources/unc2452-merged-into-apt29
https://www.atomicmatryoshka.com/post/malware-headliners-lokibot
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://asec.ahnlab.com/ko/19640/
https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf
https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
https://twitter.com/elisalem9/status/1398566939656601606
https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
https://isc.sans.edu/diary/rss/28664
https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/
https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure
https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/
https://www.bitsight.com/blog/emotet-botnet-rises-again
https://youtu.be/_VZCocEFHgk?feature=shared
https://community.riskiq.com/article/0bcefe76
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/
https://securelist.com/apt-luminousmoth/103332/
https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://www.prevailion.com/what-wicked-webs-we-unweave/
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf
https://github.com/sophos-cybersecurity/solarwinds-threathunt
https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/
https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/
https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf
https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/
https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html
https://security.macnica.co.jp/blog/2022/05/iso.html
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive
https://isc.sans.edu/diary/28636
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://youtu.be/aQwnHIlGSBM
https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html
https://cert.gov.ua/article/619229
https://twitter.com/Cryptolaemus1/status/1407135648528711680
https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love
https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf
https://cert.gov.ua/article/955924
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf
https://www.macnica.net/file/mpression_automobile.pdf
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20
https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/
https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/
https://www.mandiant.com/resources/defining-cobalt-strike-components
https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
https://www.youtube.com/watch?v=gfYswA_Ronw
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting
https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md
https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/
https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/
https://isc.sans.edu/diary/26752
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk
https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims
https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/
http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html
https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811
https://intel471.com/blog/a-brief-history-of-ta505
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
https://d01a.github.io/syscalls/
https://unit42.paloaltonetworks.com/atoms/mulelibra/
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
http://www.secureworks.com/research/threat-profiles/gold-winter
https://thedfirreport.com/2022/04/25/quantum-ransomware/
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/
https://www.ic3.gov/Media/News/2021/210823.pdf
https://www.youtube.com/watch?v=N0wAh26wShE
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489
https://malware-traffic-analysis.net/2021/09/29/index.html
https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine
https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my
https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718
https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/
https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/
https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf
https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://www.arashparsa.com/catching-a-malware-with-no-name/
https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought
https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware
https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/
https://www.secureworks.com/research/darktortilla-malware-analysis
https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a